News

System Restore After Bad Windows Update

The April 9, 2019 Windows Update is sending users into a login-loop or intermittent freezing. You may be able to use System Restore to move your machine back to a restore point before this Windows Update was installed (update KB4493472)

Do a System Restore

Turn off your computer. Count to 38.

Find the F8 key on your keyboard. Be prepared to press it quickly and repeatedly.

Turn on your computer, while quickly and repeatedly pressing the F8 key.

Choose to boot into “Safe Mode with Networking”

Go to the Start Menu–> All Programs –> Accessories –> System Tools –> System Restore –> Next. This allows you to view a list of restore points. See if there is a date available from before the installation of this Windows Update. (This Update was released on April 9)

If you are able to perform a System Restore, you will then need to follow instructions for hiding this Windows Update.

How Do I Block The Update?

Go to the Control Panel–>Windows Update. A link indicates that there are updates available for install. Click the link to view the updates, and look for the bad update. (KB4493472). Right click on update KB4493472 and “hide” the update.

If there is not a good System Restore date available, you will need to follow instructions for removing the Windows Update.

Bad Windows Update April 9, 2019

ITS is seeing many Windows 7 clients with spinning wheels, blue screens, stuck on a login loop and other tell-tale signs of a bad Windows Update from the April 9, 2019 release.

Which update is causing issues?

KB4493472 (Learn more about this specific update from Windows)

How do I get my computer going again?

Generally, booting into safe mode has been successful, and then removing the bad update. (See more about booting into safe mode). You can also do a Systems Restore.

How do I Remove the Bad Update?

We usually see computers stuck at the login screen. Do a hard shut down if you are at this screen.

After shutdown, count to 38, or your favorite number above 30. Turn on your computer – as it was shut down improperly, it should prompt you with a set of options on how to proceed.

(If you were simply taken back to a login screen and are stuck again, you will need to boot in safe mode by utilizing the F8 key)

When you are presented with your boot choices, choose “Safe Mode with Networking.” When your computer loads, go to Control Panel–>Programs and Features–>View installed updates. Loading the list of installed updates can take several seconds – watch the progress bar at the top of the screen.

Use the search box in the upper right corner to find “KB4493472”. Right-click on this update and choose “uninstall”. You will be prompted to click “yes” two times – once to uninstall and once to reboot.

Your machine will reboot twice. After the second reboot, login as normal.

How Do I Block The Update?

How Long Should I Leave This Blocked?

We will watch for official news from Windows but would recommend leaving this update hidden until a new update is released.

What If I Have Managed Updates?

If your updates are managed by ITS, we have not released this update and some of these settings are blocked for you. We test new Microsoft Updates over the course of a week before releasing them to end-users or blocking the update to wait for a better release.

2019 K12 Cyber Threats

Many of the cyber threats that impact and target business entities had previously strayed away from school networks and domains. This school year has illustrated through a steady series of security events and breaches that school networks are now equally vulnerable and targeted by hackers, and that school networks may actually provide a more extensive and rewarding target for these attacks.

Below is a list of the threats we have seen on K-12 networks this year, and tips for preparing your staff for future cyber threats. The list is overwhelming and ever-growing. Please do not hesitate to reach out if you have questions about protecting your users from any of these scenarios.

Fake Boss Emails

The email below is a sample of what we call a “Fake Boss Email”, although many varieties exist. In these emails, the attacker will present themselves as a boss or coworker requesting a money transfer, gift cards, or other financial changes. The email will say the name of an actual coworker, but a closer look at the address will show you that it is a spoofed email and not actually from your domain. A closer read will also usually reveal some grammar, spelling or word choice oddities as well.

It is always a good idea to check with the person requesting the purchase or financial change in-person or via phone call – replying to the email is not acceptable because your reply is typically sent back to the attacker instead of your coworker.

Teach staff how to look for signs that an email is spoofed, and develop/review policies for processing financial requests. Anyone that has power and permissions to transfer funds, route ACH payments for payroll or process bills payable/receivable should consider additional training on spotting spoofed emails and know your policy for verifying financial requests.

You can also setup warnings in your Google Apps Domain to alert users that an email came from outside your organization. Read instructions for adding an external sender notification and Adding enhanced phishing and malware notifications and let us know if you need help adding any settings or policies to your email domain.

Sextortion Emails

These emails are especially frightening because they generally contain actual passwords that you have used in the past and claim to have access to your computer along with proof of unseemly browsing history.

The likely explanation behind this type of email is that one of your passwords was at one point compromised from a breached site: Target, Experian, DropBox, and MyFitnessPal are all sites that have lost usernames, passwords, and email addresses in the past few years.

If a specific password was referenced in the email and it is a password that you currently use, change it and stop using it on all sites/logins. Although these emails indicate the hacker has access to your computer, we have not seen this to be true.

Key Logger Viruses

Viruses can come from a variety of sources and present in a variety of ways. Viruses can be downloaded unknowingly from hacked websites, from clicking an email attachment, or from opening Microsoft Office documents that are infected. An especially problematic type of virus is a key logger.

If a staff member’s computer is compromised with a key logger virus, then anything the staff member types on their computer could also be compromised. We have seen this type of attack reach to personal Amazon shopping accounts, personal bank/credit card accounts and even social media credentials. Key logger viruses can also harvest credentials and information that help them reach other computers and servers on your network.

A solid endpoint protection or antivirus software is the best way to contain these types of threats.

Ransomware

Ransomware cases have decreased this year, but it is very much still a threat. Ransomware is most often initiated through an email. These emails are typically phishing in nature, and may lead you to believe that they are from FedEx, UPS, Amazon, etc. and are trying to resolve an issue with your order.

Some ransomware emails have also impersonated shared documents and document sharing sites like DropBox, Google Drive, etc.

Whenever you receive an email with a link or attachment, you should always look at the sender address area before proceeding. Check to see if the sender name (Leslie Althoff) matches the sender address (Leslie@infrastructuretech.net) If I appear to send you an email from my name, but the address is 22bogus@gmail.com, you can delete the email and know that someone has spoofed my address.

If you receive an email that contains an unexpected attachment or unexpected link, hover over the item before clicking. If the address that appears in the preview box is the address you expected it to be and the rest of the email looks legitimate, you can proceed with clicking. If you hover over a link that says “Google Doc has been shared with you” but the hover information shows a .php file, you should delete the email. When in doubt check directly with the sender and ask if they meant to share that specific document or link with you.

Some of the same email settings mentioned above in the “Fake Boss Emails” section will help alert your users to ransomware. Training users how to spot scammy emails is also an important part of avoiding ransomware and viruses.

View more in-depth tips for checking emails for threats.

This Is Microsoft Calling

Phone calls from hackers pretending to be Microsoft or other service providers can present a double-whammy: calls could come into a school office or a staff member’s home. If a staff member accepts a call from “Microsoft” at school, they may follow given instructions to help the caller gain access to a computer/network or visit a specific website. The hacker could then deploy a virus, steal information, etc. If the caller accessed a machine with server access, other machines on the network could also be compromised.

If staff members (and even students!) take school computers home and receive a “Microsoft” call at home, allowing the hacker to access their school machine at home could later impact the school network. When the school computer comes back to work/class on Monday and checks into the network, any malicious files installed by the hackers while the computer was at home could then spread to other school machines on the school network.

It is important to train your staff to not interact with these types of phones calls: Microsoft will not call to provide technical support for your computer. If you receive a pop-up telling you to call an 800 number because you have a virus, this is also fake, Make sure staff know who your IT provider is if you use a third-party provider and what methods they use to communicate with staff and establish remote connections.

Learn more about browser hijacks – the pop-ups that appear and tell you that you have a virus, have downloaded a sketchy file, etc.

Phishing & Social Engineering Assessment

Did you know that ITS can provide a phishing and/or social engineering assessment for your District? Both of these assessments target a specified number of staff members, and present a series of emails that look realistic but follow typical phishing patterns. The behaviors of the email recipients are recorded and reported: Did they click? Did they give-up credentials? Did they delete? Schools can then provide targeted training for users that illustrate a need for more email security training.
Social Engineering assessments involve a series of phone calls, wherein a third-party attempts to gather information from a school employee over the phone. Information given to callers over the phone could violate FERPA and/or HIPAA, and could also inadvertently give out information that impacts school safety, network security and more.

Recent Email Scams

Several popular email scams and threats are cycling through inboxes; this is a great time to review email security tips!

The first email we feature is the “sextortion email scam.” This email alerts you that your password has been stolen and that the attacker has gained access to your computer. The attacker also enters into a blackmail scheme and requests Bitcoin, claiming that he/she has evidence of pornography on your computer.

Has your password really been hacked? Yes.

Your password was likely compromised in a security breach (MyFitnessPal, Experian, DropBox, etc) and posted online. If the sextortion email mentions a specific password, and it was a password that you used, you should stop using that password on all websites.

Does the attacker have access to my computer? No.

How should I proceed? Delete the email. If a specific password was mentioned, stop using it immediately and never use it again. Visit: https://haveibeenpwned.com/ to check a registry of email addresses and passwords that have been hacked and posted online.

The second email is one we call “Fake Boss Requests.” In these emails, company executives appear to ask for assistance with bank transfers or purchasing gift cards.

When these emails hit your inbox, they really do look like they are from within the company at first glance. In most cases, another look at the email address/sender information reveals a mismatch, or the grammar/spelling within the email message may seem off.

Recently these requests have become more sophisticated, warning the employee to not call the boss to check-in, as the boss is too busy and needs the transaction completed quickly.

How should I proceed?

If an email request seems odd or out-of-character, personally contact the sender via phone or face-to-face to ask about the requested transaction. Replying via email is not acceptable, as you may be replying to the scammer’s email address and not the address of your coworker/company executive.

It is also a great time to develop and discuss policies and procedures for banking transactions and financial requests. Make sure that your bank/bankers also have a security protocol for money transfer requests.

Train your phone handlers to be good gate-keepers; don’t let phone handlers give out email addresses, cell phone numbers, titles or names unless they can validate the request for information. Many email scams start with a simple request for information, whether actually calling your office, scanning your website for contact information, or gathering a list of contacts from a professional membership database.

This article is also available in PDF form to download and share.